I am working on an OIDC workflow. The scenario is that a user can log in as many times as he/she wants to. In this situation, more than one session will be established and more than one access_token and id_token will be granted. I am wondering if there is a way to know how many sessions a user has. Or does Okta have an API to destroy all the sessions of the user?
You can kill all sessions and pass a query param (oauthTokens) to also delete any access and refresh tokens.
This endpoint does not support GET. Are you trying to list the user’s valid sessions as well? Or primarily interested in deleting all sessions?
Thank you Tom @tom. Your answer is very helpful.
However, you are right, I am trying to list the user’s valid sessions and OAuth tokens as well.
Our scenario is that the user can log in within only one browser window. For example, if the user logs in with Chrome and then tries to log in with Firefox, the user’s session in Chrome will be deleted and the corresponding tokens will be revoked. We want to make sure that the user is active in only one browser window. So we want to know the sessions and tokens the user already has when the user logs in.
Could you provide some suggestions?